I would support the remarks of my colleagues, but I would also, in relation to one specific recommendation, create a legal obligation with government institutions to safeguard personal information. In the age of information technology, we need to be very mindful of the cyber-threats that exist, and we need to put in place the necessary IT security infrastructure in order to protect that information.
I will also say with respect to this recommendation that the approach to safeguard should be risk-based. I say that because some of the security control measures. If they were consistently applied, and if the measures that are put in place by my colleagues at CSIS were then applied to other government information, the costs would be huge. We need to take a measured approach for risk-based safeguards, based on the type of information being held and based on the threats that exit against that information. Then we must put in place measured security controls that will be cost-effective, but also meet the objective of protecting the information.